Featured Archives - Solutions Review Technology News and Vendor Reviews
https://solutionsreview.com/category/featured/

Messaging: Navigating Nuances in an Ever-Changing Cybersecurity Landscape
https://solutionsreview.com/security-information-event-management/messaging-navigating-nuances-in-an-ever-changing-cybersecurity-landscape/
Wed, 12 Jul 2023 15:04:06 +0000


Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Larissa Gaston of Exabeam examines the nuances of updating your business’s messaging in an ever-changing cybersecurity landscape.

In today’s highly competitive cybersecurity landscape, everything can change in the blink of an eye. The cloud, which powers most modern business operations today, is continuously evolving and introducing new complexities and cyber threats.

According to Check Point’s 2022 Cloud Security Report, 27 percent of organizations have experienced a security incident in their public cloud infrastructure within the last 12 months. Of these, nearly a quarter (23 percent) were caused by security misconfigurations in cloud infrastructure. Additionally, Verizon’s Data Breach Investigations Report reveals ransomware has continued its upward trend with an almost 13 percent rise, an increase as big as the last five years combined.

In turn, the demand for security services is continuing to increase, making the market more competitive than ever. Gone are the days when organizations can sit on their messaging for three to five years. To stay relevant in the sea of competitors, cybersecurity organizations need to be continuously analyzing their messaging and structure to understand what is and isn’t resonating with end-users. The most important thing your messaging must do is explain, quickly, clearly, and concisely, exactly what you do and the value that you provide in the market.

How often have you gone to a technology or cybersecurity website and left still not knowing what the company actually does? You’re not alone. If you’re in the hot seat to help refine messaging for your organization, know that it will require a nuanced approach. Also, roll up your sleeves and don’t give up— it’s not for the faint of heart.

Messaging: Navigating the Nuances


Copycat Vs. Original

There are a variety of ways an organization can approach a messaging overhaul. One way is through an in-depth competitor analysis and then simply copying what you think they are doing well. While that strategy may work for some organizations in the short term, it will not help them continue to stand out in the long term. After all, you want to communicate your differentiators. That being said, we have seen a handful of competitors over the years steal messaging verbatim from companies we’ve served. While it’s flattering, it’s also disappointing. If you’re going to steal messaging, at the very least, steal like an artist.

To forge a new and unique path, point of view, and perspective, you have to talk differently. Challenge your organization to take a risk, be brave, and do something no one else is doing. Yes, you may not be successful, but at least you know that you stayed true to your organization, your people, and its mission. If you do succeed, the end result will feel that much more rewarding. It pays to be brave.

Crafting Company Messaging — It’s A Lot like Couples Therapy

Arriving at your organization’s truth at the heart of your messaging is a delicate exercise. All departments with a stake in messaging, and even individuals within those departments, have their own version of the truth. Interestingly, a recent report found only 35 percent of organizations have a dedicated person or team that works on content marketing full time. This is especially true for smaller companies that have one to 99 employees, while 50 percent of small companies have no dedicated content marketing personnel.

This is all the more reason organizations are turning to third parties for help. And when your end goal is creating a holistic message that the majority agree to, it can also be helpful to hire bipartisan professionals. The process of arriving at a consensus can almost feel like couple’s therapy. I know that might sound weird, but stay with us on this.

When you are trying to fix something internally, you can get stuck. People can become so fixated on their version of the truth, what happened or worked in the past, what is not working now, and how they envision things can work better in the future that they can’t open their minds to new information and perspectives. When we began to revisit our messaging at Exabeam, we tried to work at it for five to six months before we realized that we had hit a wall. We knew that we needed to hire help.

At its core, creating messaging is an exercise in trying to figure out who you are as an organization and how you want people to view your brand, clearly position what you do and how you’re differentiated from the competition, and how you authentically and transparently talk to your customers and partners. Similar to a relationship, a messaging exercise is a commitment, just as couple’s counseling is a commitment. When a third party is involved, it can serve as a source of accountability that encourages people to show up and be engaged.

Third parties are there to build consensus and ensure a level playing field. While they may or may not be the people who come up with the actual words or message themselves, they will work a process and encourage participation from everyone involved to negotiate which ideas work best. If organizations handle a messaging exercise internally, there will be bias, period.

Messaging Matchmaking

Before even consulting with a third party, the first and most important step is internal buy-in. It is critical to have the right people on the messaging team, which needs to include stakeholders from every facet of an organization. It is also critical that the C-suite takes a firm stance behind the messaging, which will foster buy-in from all key stakeholders including engineering and technical teams, HR, and more.

Once that is in place and you are ready to hire outside help, it is important that the people you hire are aligned with your niche market and audience. Knowing your needs as an organization and what your end goal is with the messaging exercise can help you find the right fit. Find a third party that speaks the same language and can easily grasp what sets your product, services, and organization apart. If your end goal is sales, then find a third party that understands the sales process specifically in your industry.

Rolling Out the Red Carpet

Timing is critical for a messaging roll-out. There are pros and cons to this, but try to avoid doing it during a major product launch since the risk of creating market confusion could increase. In our most recent messaging overhaul we renamed our products and fit them under the new message. If we did not do this, then we could have been stuck with products and platforms with the older name and potentially created more confusion. In the end, it was great we had previously messaged ourselves with XDR, because we got into the right conversations and started the XDR Alliance, but I do still feel we created some market confusion as a result. We emerged with New-Scale SIEM, clarifying our market and differentiators.

Live. Learn. Hire Help When It Makes Strategic Sense

Throughout the process, try to step back, breathe, and have a holistic view. It is a very interesting experience to watch how people interact, make decisions, and share perspectives. You can learn a lot about your people, yourself, and the shared passion you all have for your work.

Back to the counseling analogy, it’s like “Are we staying together or getting divorced?” The people who commit to working through the tough stuff together in a healthy way, especially when the tough stuff may be very difficult to work through, make all the difference in whether you will sink or swim.

Debunking 7 Common UEM Myths That Hurt Businesses
https://solutionsreview.com/mobile-device-management/debunking-7-common-uem-myths-that-hurt-businesses/
Tue, 11 Jul 2023 16:15:47 +0000


The editors at Solutions Review examine and debunk some common UEM myths that might be plaguing your workplace.

Myths and misconceptions around solutions such as Unified Endpoint Management (UEM) software can lead to misuse, underuse, and potentially catastrophic failure in successfully deploying such software. Enterprises must debunk myths surrounding UEM because misinformation can lead to misunderstandings and missed opportunities. By clarifying the realities of UEM, organizations can make informed decisions and fully leverage the benefits offered by this comprehensive endpoint management solution. Debunking common UEM myths enables organizations of all sizes to recognize that UEM is not limited to large enterprises. Smaller businesses may assume that UEM is beyond their scope or budget, missing out on its advantages. Understanding that UEM can be tailored to suit their needs allows smaller enterprises to adopt a holistic approach to endpoint management, enhancing efficiency, security, and scalability.

The editors at Solutions Review look at some of the more common UEM myths and break down how they can prove dangerous to you and your team.


7 Common UEM Myths That Hurt Businesses


Here are some common UEM myths:

  1. UEM is only for large enterprises: It is a common myth that UEM solutions are only suitable for large organizations. In reality, UEM can be implemented by businesses of all sizes, including small and medium-sized enterprises. UEM offers scalability and flexibility to meet the needs of different organizations.
  2. UEM is limited to mobile devices: While UEM originated as a mobile device management (MDM) solution, it has evolved to encompass all endpoint devices, including smartphones, tablets, laptops, desktops, and even Internet of Things (IoT) devices. UEM provides a unified approach to managing and securing diverse endpoints.
  3. UEM is complex and challenging to implement: UEM solutions have become more user-friendly and streamlined over time. They offer intuitive interfaces and centralized management consoles, making deployment and administration more accessible. UEM providers often provide comprehensive documentation and support to assist with implementation.
  4. UEM is an unnecessary cost: Some organizations may consider UEM as an unnecessary expense. However, the cost of managing and securing endpoints individually can be higher in the long run. UEM provides a consolidated and efficient approach, reducing the complexity and cost of managing multiple tools and platforms.
  5. UEM invades user privacy: One concern is that UEM solutions invade user privacy by allowing organizations to monitor and control devices. While UEM does offer management capabilities, including remote wipe and application management, it can be implemented with privacy considerations. Organizations can define policies that balance security needs with user privacy concerns.
  6. UEM is only about device control: UEM goes beyond device control and management. It enables organizations to enforce security policies, manage application lifecycles, ensure compliance, and protect data across endpoints. UEM offers comprehensive endpoint security and management capabilities.
  7. UEM eliminates the need for other security tools: UEM is a powerful tool for managing endpoints, but it does not replace the need for additional security tools. UEM can integrate with existing security solutions, such as antivirus software, firewalls, and threat detection systems, to provide a layered defense approach.

Debunking UEM myths is vital for enterprises to make informed decisions, embrace the full potential of UEM, and unlock its benefits. By dispelling misconceptions surrounding UEM, organizations can optimize endpoint management, improve security, enhance productivity, and position themselves for success in today’s digital landscape.



This article on common UEM myths was AI-generated by ChatGPT and edited by Solutions Review editors.

The Best Cybersecurity Books on Amazon in 2023
https://solutionsreview.com/security-information-event-management/the-best-cybersecurity-books-on-amazon/
Tue, 11 Jul 2023 16:00:50 +0000


Solutions Review Finds the best cybersecurity books available on Amazon right now. You need to add these to your collection today. 

Are you an IT professional who wants to brush up on your cybersecurity knowledge? Books, whether hardcover or digital, are an excellent source for people looking to learn about a specific field of technology, and security is no exception. We’ve listed the best cybersecurity books that you should add to your reading list. These books are intended for beginners and experts alike and are written by authors with proficiency and/or recognition in the field of cybersecurity.

The Best Cybersecurity Books on Amazon

Cybersecurity Ops with bash: Attack, Defend, and Analyze from the Command Line

Our Take: Carl Albing is a software engineer and teacher with a breadth of industry experience and a Ph.D. in Computer Science. Paul Troncone has over 15 years of experience in the cybersecurity and information technology fields.

Description: Authors Paul Troncone, founder of Digadel Corporation, and Carl Albing, coauthor of bash Cookbook (O’Reilly), provide insight into command-line tools and techniques to help defensive operators collect data, analyze logs, and monitor networks. Penetration testers will learn how to leverage the enormous amount of functionality built into nearly every version of Linux to enable offensive operations.


The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime

Our Take: Scott Augenbaum built his career investigating cyber crimes for the FBI. He has a wealth of experience which small businesses could easily utilize.

Description: Cybercrime is on the increase internationally, and it’s up to you to protect yourself. But how? The Secret to Cybersecurity is the simple and straightforward plan to keep you, your family, and your business safe. Written by Scott Augenbaum, a 29-year veteran of the FBI who specialized in cybercrimes, it uses real-life examples to educate and inform readers, explaining who/why/how so you’ll have a specific takeaway to put into action for your family. Learn about the scams, methods, and ways that cyber criminals operate—and learn how to avoid being the next cyber victim.


Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World

Our Take: Marcus J. Carey is a cybersecurity community advocate and startup founder with over 25 years of experience. Jennifer Jin is a communications and marketing professional focused on the cybersecurity industry. 

Description: Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you’re just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. 


Cybersecurity Is Everybody’s Business: Solve the Security Puzzle for Your Small Business and Home

Our Take: Scott N. Schober is a cybersecurity expert presenter, inventor, author, and CEO of a top wireless tech & security firm. He has the knowledge your business can benefit from. 

Description: There are 30 million small businesses currently operating in the United States. Some of them are single-owner/operated while others collectively employ hundreds of millions. This book is for all of them and anyone who makes it their business to stay safe from phishing attacks, malware spying, ransomware, identity theft, major breaches, and hackers who would compromise their security. We are all in this together which is why cybersecurity is everybody’s business. Scott and Craig Schober examine a multitude of cybersecurity issues affecting all of us.


Hacking the Hacker: Learn From the Experts Who Take Down Hackers

Our Take: Roger A. Grimes has worked in the field of computer security for over 27 years as a professional penetration tester. He knows how hackers think. 

Description: Hacking the Hacker takes you inside the world of cybersecurity to show you what goes on behind the scenes and introduces you to the men and women on the front lines of this technological arms race. Twenty-six of the world’s top white hat hackers, security researchers, writers, and leaders, describe what they do and why, with each profile preceded by a no-experience-necessary explanation of the relevant technology. Light on jargon and heavy on intrigue, this book is designed to be an introduction to the field; final chapters include a guide for parents of young hackers, as well as the Code of Ethical Hacking to help you start your own journey to the top.

Solutions Review participates in affiliate programs. We may make a small commission from products purchased through this resource.

The 6 Best Cameras for Video Marketing to Consider Using
https://solutionsreview.com/marketing-automation/the-best-cameras-for-video-marketing-your-company-should-use/
Mon, 10 Jul 2023 15:43:09 +0000


For each Solutions Review Finds post, our site editors shop for the best products, sift through the reviews, measure the top sellers, and report back with our picks. Here are the best cameras for video marketing. Solutions Review participates in affiliate programs and may make a small commission from products purchased through this resource.

When crafting a successful marketing strategy, few things are as crucial as content. If the last several years have taught marketers anything, content is king. However, the form that content takes must continue evolving if it wants to remain competitive and compelling. That’s where video marketing comes into play.

According to research from Statista, nearly everyone over the age of 18 engages with online videos during the week, with over 20 percent of people saying they watch more than 10 hours a week. So if you want to take your marketing efforts to the next level, the video format might be the answer.

But shooting video on the phone—while appropriate for platforms like TikTok—won’t yield the production value most marketing audiences want. That’s why we’ve compiled this list of the best cameras for video marketing.

The list below spotlights some of the best cameras marketers can (and should) use for their video marketing efforts and highlights the key features, strengths, and weaknesses. We’ve also included links to each camera’s product page, so you can further compare devices and find the best one for your video marketing needs.

Canon EOS M6 Mark II

SUMMARY: The Canon EOS M6 Mark II is a notable improvement for Canon’s mirrorless cameras. This model blends consistently high-quality optics with a compact design, a 32.5 Megapixel CMOS (APS-C) sensor, DIGIC 8 Image Processor, a high-resolution 3″ LCD tilting monitor, and 4K video recording. Videos shot with the camera will also use the camera’s face tracking, eye detection, and autofocus features so that users can track moving targets. 

PROS

  • Accurate autofocus
  • 4K video supports the use of the full width of the frame
  • Reliable face and eye detection
CONS

  • Lack of weather sealing
  • Higher price
  • No IBIS

OUR TAKE: While on the pricier side, the Canon EOS M6 Mark II is regarded as one of Canon’s best mirrorless cameras. The full-width 4K video recording capabilities (which are not as common as you may think) and autofocusing features make this an excellent tool for marketers breaking into the video marketing field. If you’re looking for a cheaper alternative, the Canon EOS Rebel T7 is a popular option amongst consumers, especially those just getting started in the world of videography.

Fujifilm X-S10

SUMMARY: The Fujifilm X-S10 is one of the newer additions to Fujifilm’s X-Series of mirrorless digital cameras. The X-S10 maintains the X-Series’ compact, lightweight design and the proprietary color reproduction technology Fujifilm users have come to expect from the visual quality of the company’s products. In addition, with the X-S10, Fujifilm adds new features to their camera, such as a newly developed five-axis image stabilization mechanism offering up to 6.0 stops, an AF system capable of attaining focus in 0.02 seconds, a larger grip to improve ease of use, and a high-performance auto-shooting feature.

PROS

  • The newly designed 5-axis IBIS
  • Reliable autofocus
  • 4k and 30fps video recording
CONS

  • The battery life is underwhelming
  • No weather sealing
  • Only one memory card slot

OUR TAKE: The Fujifilm X-S10 is on the higher end of prices, but you get what you pay for, as it’s a terrific camera with an IBIS system that provides users with a level of stability you won’t find in cheaper options. The front-facing display is an excellent feature for vlogging—something video marketers can undoubtedly benefit from—and the overall video capabilities rank among some of the best you’ll get in this price range.

Nikon Z 30

SUMMARY: The Nikon Z 30 is the brand’s most compact, lightweight mirrorless video camera. The camera is equipped with fast, reliable autofocus, several AF Area Modes capable of adjusting to quick shifts in detail, eye-detection autofocus, image stabilization, a flip-out touchscreen selfie monitor, and more. And with its 3-inch LCD touchscreen, which can tilt up and down, users can easily shoot in high-quality resolution.

PROS

  • Can record video for up to two hours straight
  • Tilting LCD touchscreen
  • Compatible with every NIKKOR Z lens
CONS

  • No HDR recording
  • Sometimes overheats
  • Lack of EVF

OUR TAKE: The Nikon Z 30 may not be the camera for professional videographers who need all the newest and most dynamic features since it’s primarily geared toward content creators, vloggers, and streamers. However, it stands as a compelling option for marketers looking to get into video, as it’s an easy-to-use, reliably high-quality product that can scale with the user as their needs change. There’s even an affordable accessory package to help marketers get started!

Panasonic LUMIX G85

SUMMARY: The Panasonic LUMIX G85 is a DSLM camera equipped with the technologies and practical functionalities Panasonic users want and is paired with a compact body ideal for field use. The newly advanced 5-axis Dual I.S. (Image Stabilizer) suppresses blurring, so users can comfortably capture 4K video in 3840×2160 at 30p (60Hz) or 24p in MP4 formats. Other notable features include a 3″ touchscreen display with tilt and swivel capabilities, a weather-sealed body, dual image stabilization, and more.

PROS

  • Sharp 4K (UHD) video
  • Articulated LCD touchscreen
  • Remote control capabilities via smartphone
CONS

  • 4K videos are cropped by a factor of 1.10
  • Underwhelming battery life
  • Subpar low-light performance

OUR TAKE: This camera offers video marketers just about all the tools and features they need to shoot sharp, unique content for their audience. While it has its detractions, the 4K video—even with the 1.10 crop—and impressive image quality make this a compelling option in the mid-range pricing market. The camera’s remote control capabilities and overall durability are also big perks, as they make the Panasonic LUMIX G85 a unit you can take just about anywhere.

Sony a6400

SUMMARY: With the a6400, Sony has created a camera that strikes a successful balance between the needs of consumers and professional enthusiasts. The Sony a6400 is equipped with features like a 24.2 MP Exmor CMOS sensor, a 0.02-second autofocus speed, real-time autofocus and targeting functionalities empowered by machine learning technology, a 180-degree tiltable LCD touchscreen, and 4K video recording at 24, 25, or 30fps. The camera also supports Bluetooth, NFC, and Wi-Fi.

PROS

  • 4K video without cropping or recording limitations
  • Built-in pop-up flash, EVF, and hot shoe
  • AI-enhanced tracking functionality
CONS

  • Lack of in-body image stabilization (IBIS)
  • No external battery charger
  • The camera is not entirely weatherproof

OUR TAKE: The Sony a6400 is a great mid-market camera for marketers who want something more advanced than an entry-level product but without the cost of a professional-level unit. Its 4K video functionalities are reliably excellent. Unlike other cameras at this price point, you don’t have to worry about your footage being cropped or cut off after a certain amount of time has transpired—you’re free to film until the battery dies if you want. Some users may wish to upgrade the a6400 with a full-frame lens—the FE 24-105mm is a popular option—at some point, but the out-of-box capabilities should be more than enough for your video marketing needs.

Sony ZV-1

SUMMARY: Sony’s ZV-1 is a camera made with content creators and vloggers in mind. While it shares similar tech with Sony’s RX100 line, the ZV-1 branches out by focusing more on video-friendly capabilities and features. For example, ZV-1 includes image stabilization, face and eye detection, autofocus, and a metering system to maintain proper exposure in changing light conditions. Other features for videographers include a built-in microphone, 4K recording at 24 or 30fps, and a product showcase mode that automatically adjusts the focus when an object is centered.

PROS

  • Sleek, compact form factor
  • Terrific audio capture
  • Impressive 4K video
CONS

  • Disappointing battery life
  • Narrow lens
  • Touch functionalities are limited

OUR TAKE: If you’re looking for an accessible but reliable camera, the Sony ZV-1 is a fantastic option. It’s best suited for smaller marketing teams, especially ones focusing on more compact videos. The compact design, vlogger-friendly features, and reliable audio and video will quickly meet the needs of marketing video content. If you plan on taking the camera on the go, you will probably want to look into an accessory kit that includes a selfie stick or tripod, which will help compensate for the narrower lens.

What to Expect at Solutions Review’s Spotlight with Rubrik on July 20
https://solutionsreview.com/network-monitoring/what-to-expect-at-solutions-reviews-spotlight-with-rubrik-on-july-20/
Mon, 10 Jul 2023 14:45:32 +0000


Solutions Review’s Solution Spotlight with Rubrik is entitled: See How University of Reading Safeguards Their Data with Rubrik.

What is a Solutions Spotlight?

Solutions Review’s Solution Spotlights are exclusive webinar events for industry professionals across enterprise technology. Since its first virtual event in June 2020, Solutions Review has expanded its multimedia capabilities in response to the overwhelming demand for these kinds of events. Solutions Review’s current menu of online offerings includes the Demo Day, Solution Spotlight, best practices or case study webinars, and panel discussions. And the best part about the “Spotlight” series? They are free to attend!

Why You Should Attend

Solutions Review is one of the largest communities of IT executives, directors, and decision-makers across enterprise technology marketplaces. Every year over 10 million people come to Solutions Review’s collection of sites for the latest news, best practices, and insights into solving some of their most complex problems.

With the next Solutions Spotlight event, the team at Solutions Review has partnered with leading zero trust data security vendor Rubrik. The resource webinar will showcase how the immeasurable volumes of data in your Microsoft 365 environment are at risk. And now that Rubrik is partnered with Microsoft, its Microsoft 365 protection is even stronger.

  • Salvatore Buccoliero, Sales Engineer at Rubrik: Salvatore is a Senior SAAS & Security Sales Engineer who enjoys working with customers to secure enterprise data. Salvatore gets motivated by working with disruptive products and fast-growing organizations and has experience since the 2000s in launching new vendors and distributing products.
  • Kevin Mortimer, Head of Operations at the University of Reading: Kevin, Head of Operations at University of Reading, has been a Rubrik customer since 2018. Kevin is a self-motivating, enthusiastic technologist at heart with a focus on service management. Innovative emerging technologies have always been a core value for infrastructure services.

About Rubrik

Rubrik is one of the most widely used enterprise data protection solutions in the world. Rubrik provides data protection and data management in hybrid IT environments. The platform is a scale-out-architecture-based data protection tool with cloud integration, live mount for Oracle databases, support for Office 365 backup, and support for SAP HANA backup. Rubrik’s solution is recommended to buyers looking to protect highly virtualized on-prem environments and hybrid environments that leverage Microsoft Azure and AWS.

FAQ

  • What: See How University of Reading Safeguards Their Data with Rubrik
  • When: Thursday, July 20, 2023, at 12:00 PM Eastern Time
  • Where: Zoom meeting (see registration page for more detail)

Debunking 5 Common SIEM Myths
https://solutionsreview.com/security-information-event-management/debunking-5-common-siem-myths/?utm_source=rss&utm_medium=rss&utm_campaign=debunking-5-common-siem-myths
Fri, 07 Jul 2023 21:06:43 +0000


The editors at Solutions Review examine and debunk some common SIEM myths that might be plaguing your workplace.

Myths around SIEM (Security Information and Event Management) can hinder a successful deployment. By debunking these myths, organizations gain a realistic understanding of what SIEM solutions can and cannot accomplish. This understanding enables them to make informed decisions about security strategies and allocate resources effectively. It encourages a more holistic approach to security, where SIEM is seen as a valuable component within a more extensive security framework. Moreover, debunking SIEM myths helps organizations recognize the importance of skilled security personnel. While SIEM solutions automate specific tasks, human expertise is essential for effective threat detection, incident response, and decision-making. Understanding this dispels the myth that SIEM eliminates the need for security professionals and highlights the importance of investing in a skilled security team.

The editors at Solutions Review look at some of the more common SIEM myths and break down how they can prove detrimental to you and your team.


5 Common SIEM Myths


Let’s dissect some common SIEM myths:

  • Myth 1: SIEM solutions provide complete security: SIEM solutions are powerful tools for security monitoring, but they are not standalone security solutions that can guarantee complete protection against all threats. SIEM systems collect and analyze security event data from various sources but rely on accurate data input and proper configuration. Organizations must implement additional security measures like firewalls, intrusion detection systems, and antivirus software to enhance their overall security posture.
  • Myth 2: SIEM solutions eliminate the need for skilled security personnel: While SIEM solutions automate log collection and analysis, they do not eliminate the need for qualified security personnel. SIEM systems generate alerts and reports based on predefined rules, but human expertise is necessary to interpret and respond to these alerts effectively. Security analysts play a vital role in investigating incidents, identifying false positives, and implementing appropriate remediation measures.
  • Myth 3: SIEM solutions are too complex and challenging to implement: Implementing a SIEM solution can be tough, but it is a myth that SIEM solutions are overly complicated. With technological advancements and user-friendly interfaces, many SIEM solutions offer simplified deployment options and intuitive dashboards. However, allocating the necessary time and resources for proper planning, configuration, and ongoing maintenance is crucial to ensure the SIEM system aligns with the organization’s specific security requirements.
  • Myth 4: SIEM solutions only benefit large organizations: While SIEM solutions are commonly associated with large enterprises, they can benefit organizations of all sizes. Small and mid-sized businesses can leverage SIEM to enhance their security posture, detect and respond to security incidents, and meet compliance requirements. Several SIEM solutions are available in the market, catering to the specific needs and budgets of organizations with varying sizes and resource constraints.
  • Myth 5: SIEM solutions deliver immediate results: Implementing a SIEM solution is not a one-time fix for all security challenges. It requires continuous fine-tuning, updating correlation rules, and adapting to evolving threats. Initially, it may take time to configure the SIEM system accurately and establish baseline behavior patterns. Investing in ongoing monitoring, analysis, and maintenance is essential to derive meaningful insights and maximize the value of a SIEM solution.

Ultimately, debunking SIEM myths empowers organizations to make informed decisions, develop comprehensive security strategies, and optimize the effectiveness of their cybersecurity measures. It ensures that SIEM solutions are implemented and utilized to align with the organization’s security needs, mitigate risks effectively, and enhance overall resilience against evolving threats.


The AppSec Dilemma: Investing in Education Amidst Mass Tech Layoffs
https://solutionsreview.com/network-monitoring/the-appsec-dilemma-investing-in-education-amidst-mass-tech-layoffs/?utm_source=rss&utm_medium=rss&utm_campaign=the-appsec-dilemma-investing-in-education-amidst-mass-tech-layoffs
Fri, 07 Jul 2023 19:42:40 +0000


Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Amy Baker of Security Journey schools us why, amidst tech layoffs, enterprises need to invest in education to counter the AppSec Dilemma.

From mass redundancies at Big Tech firms like Google, Meta, and Microsoft, to reducing teams in SMEs and small fintech startups, layoffs are impacting thousands of tech and cybersecurity workers. These professionals now face greater competition for fewer technical roles, while employers are left with the challenge of restructuring and retaining remaining staff. In this environment, investment in people has never been more important – in particular, investment in education. Without addressing the inevitable skills gap that comes with reducing the workforce, upskilling those now taking on more responsibility, and demonstrating a commitment to retained staff, it will be hugely challenging to deliver on customer promises or remain competitive whilst secure in a crowded market. This is especially pertinent for the areas of the tech industry that are currently under the most pressure, and companies who develop software for their own use or for their customers exist front and center of this issue.


The ‘AppSec Dilemma’ Amidst Layoffs

The dilemma facing those who develop software is one that has only been compounded by a market where businesses of all sizes are tightening their purse strings, laying off staff, and anticipating the inevitable change that comes with evolving technologies like AI. The problem is that those developing code are already over-worked – 83 percent of software developers feel burnout from their work – and a drive towards DevSecOps and shifting security left is piling on even more pressure for development teams, who may not even have the education or knowledge on how this is best achieved.

At the same time, threat actors are diversifying their approaches while the attack surface grows; critical vulnerabilities increased by 59 percent between 2021 and 2022. It’s therefore clear that baking-in security from the very start of software development is a must to ensure that vulnerabilities are proactively mitigated. Yet, with more skilled professionals being let go and teams running on a skeleton workforce, how can developers cover even more ground and become security experts alongside fast and innovative coders?

It is essentially the role of the industry to ensure that developers, and everyone working across the software development lifecycle (SDLC) to support them, are empowered with knowledge on how to protect the software supply chain.

Training and Collaboration in the Industry

The reality is only 62 percent of developers learn to code in college or university settings, and even then, not one of the top 50 undergraduate computer science programs requires a course in code or application security for majors, according to Forrester. While there are plenty of routes into software engineering, tech – and cybersecurity in particular – is incredibly fast-moving, so what is taught one month may well be outdated the next. Programmatic education and continuous secure coding training driven by industry is therefore a must, even in a time when the AppSec dilemma isn’t compounded by layoffs.

Upskilling developers and the SDLC team in areas like secure coding lets employers invest in their teams’ career development and provide the essential skills and knowledge often not covered in traditional education settings like universities, and it is also an opportunity to encourage better collaboration. It’s not uncommon to see developers and security professionals at odds with each other – the former is driving innovation and wants to release code faster, while the latter prioritizes reducing vulnerabilities and only shipping software if it is secure. Yet this lack of collaboration is unsustainable within a smaller team and with a greater focus being put on DevSecOps.

In a reduced workforce, developers will become an integral cog in the secure coding machine to enable the security department to continue delivering secure software. Both teams need continuous education that allows them to bridge the divide, understand each other’s pain points, and recognize how best they can communicate and compromise with the aim of creating the best product or service. A good starting point is to nominate a security champion within the development team, who can own all activities and opportunities regarding secure coding education programs, as well as drive partnerships and projects between the security team and the development team.

Ultimately, businesses should want to invest in their staff. By doing so in a way that bolsters cybersecurity resilience, they not only position themselves as worthwhile organizations to remain employed with, but also weather the storm often brought by layoffs and restructuring while not sacrificing security. Layoffs are a necessary evil in a challenging economic environment, yet at the same time, skills in secure coding have never been more valuable. Considering the current AppSec dilemma that has even fewer professionals in place to solve it, investing in continuous training to boost skills and collaboration across the SDLC is now non-negotiable.


Identity Management and Information Security News for the Week of July 7; SandboxAQ, Dig Security, Kivera, and More
https://solutionsreview.com/identity-management/identity-management-and-information-security-news-for-the-week-of-july-7-sandboxaq-dig-security-kivera-and-more/?utm_source=rss&utm_medium=rss&utm_campaign=identity-management-and-information-security-news-for-the-week-of-july-7-sandboxaq-dig-security-kivera-and-more
Fri, 07 Jul 2023 15:10:39 +0000


The editors at Solutions Review have curated this list of the most noteworthy identity management and information security news for the week of July 7. This curated list features identity management and information security vendors such as SandboxAQ, Dig Security, Kivera, and more.

Keeping tabs on all the most relevant identity management and information security news can be a time-consuming task. As a result, our editorial team aims to provide a summary of the top headlines from the last month, in this space. Solutions Review editors will curate vendor product news, mergers and acquisitions, venture capital funding, talent acquisition, and other noteworthy identity management and information security news items.



Identity Management and Information Security News for the Week of July 7


DISA Awards SandboxAQ Other Transaction Authority Agreement

SandboxAQ, a quantum security solutions provider, this week announced it has been awarded the Prototype Quantum Resistant Cryptography Public Key Infrastructure Other Transaction Authority Agreement by the U.S. Defense Information Systems Agency (DISA). DISA, which provides a globally accessible enterprise IT infrastructure in direct support to joint warfighters, national-level leaders, and other mission and coalition partners, selected SandboxAQ from a pool of vendors after a three-phase process. To deliver on this program, SandboxAQ selected Microsoft, which will provide the DevSecOps platform, and global systems integrator Deloitte & Touche LLP for their respective software and services capabilities.


Dig Security Announces Support OCR For Image Classification

Dig Security, a data security solutions provider, this week announced it has added support for Optical Character Recognition (OCR) to the Dig Data Security Platform. Dig can now detect sensitive customer data in image files, such as passports and driver’s licenses, that are stored in multi-cloud environments. OCR capabilities are critical as enterprises increasingly collect and store data in image files, and unless they can map all the sensitive data, it remains open to mass exposure. The new OCR capabilities enable Dig customers to identify sensitive data hidden in image files and move it to a secure environment. In one user’s environment — a company that validates customers via a driver’s license or passport — Dig found that the number of images containing Personal Identifiable Information (PII) was as high as the total number of customers. Dig found 80K images in one bucket.


Thales Report: “Cloud Assets the Biggest Targets for Cyberattacks”

Thales, a cloud security solutions provider, announced the release of the 2023 Thales Cloud Security Study, its annual assessment on the latest cloud security threats, trends and emerging risks based on a survey of nearly 3,000 IT and security professionals across 18 countries. This year’s study found that more than a third (39 percent) of businesses have experienced a data breach in their cloud environment last year, an increase on the 35 percent reported in 2022. In addition, human error was reported as the leading cause of cloud data breaches by over half (55 percent) of those surveyed. This comes as businesses reported a dramatic increase in the level of sensitive data stored in the cloud. Three quarters (75 percent) of businesses said that more than 40 percent of data stored in the cloud is classified as sensitive, compared to 49 percent of businesses this time last year. More than a third (38 percent) ranked Software as a Service (SaaS) applications as the leading target for hackers, closely followed by cloud-based storage (36 percent).


Deloitte and the World Economic Forum Collaborate to Launch the Quantum Readiness Toolkit

This week, in collaboration with Deloitte, the World Economic Forum (The Forum) released actionable guidance to help protect organizations during the rapid development of quantum computing technology. The Quantum Readiness Toolkit provides specific guidance in line with the overall framework presented in last year’s flagship report, Transitioning to a Quantum-Secure Economy. Advancements in quantum computing have the potential for systemic cybersecurity risk, whether through increased breaches of sensitive health and financial personal data, compromised private communications, or forged digital versions of information, identities and sensitive data. The new paper, Quantum Readiness Toolkit: Building a Quantum Secure Economy, outlines five principles businesses and organizations should follow when building their quantum security readiness.


Kivera Welcomes Joe Lea as CEO

Cloud security company Kivera this week announced the appointment of Joe Lea as Chief Executive Officer of the company. In this role, Lea will oversee and manage the company in its mission to “provide a generational leap in cloud security through proactive policy enforcement.” He will focus on the operations as well as the strategic direction for Kivera, ensuring growth and success of Kivera’s Cloud Security Protection Platform (CSPP). Lea is a veteran in the enterprise and cybersecurity spaces. With 25 years of operating experience including serving Boards of Directors and advising startups, he most recently held the role of President at Shift5 where he managed operations as the company raised its Series A through B rounds while deepening its customer base within the U.S. Department of Defense (DoD). Before that, Lea led Product for IoT security trailblazer and asset intelligence platform, Armis, from its earliest days through its unicorn status. Prior to that, Lea led Product at Tanium, the endpoint management and security platform used by half of the Fortune 500 which is valued at $10B.



Expert Insights Section

Watch this space each week as Solutions Review editors will use it to share new Expert Insights Series articles, Contributed Shorts videos, Expert Roundtable and event replays, and other curated content to help you gain a forward-thinking analysis and remain on-trend. All to meet the demand for what its editors do best: bring industry experts together to publish the web’s leading insights for enterprise technology practitioners.

Prioritizing Vulnerabilities Through Knowledge and Automation

Jacob Baines of VulnCheck examines how automation and shared knowledge can aid teams in prioritizing vulnerabilities. CISOs and security teams are at a real disadvantage these days in dealing with the exponentially growing list of software vulnerabilities. Teams are inundated every month with new lists of weaknesses via Patch Tuesdays, threat research from cybersecurity organizations, and other vendor resources. The challenge, however, is knowing which vulnerability to fix first, which is an increasingly complex problem as workloads continue to increase. It can leave teams working to address minor or low-priority threats while letting more critical ones linger for months or longer. The need to prioritize the most severe vulnerabilities and fix them quickly is urgent, as research shows they can be exploited in a matter of days. But while the information on new vulnerabilities that organizations regularly receive is helpful, it doesn’t offer much assistance in identifying which poses the most significant risk to them. In this new threat environment, the need to establish a process for assessing the risks posed by a vulnerability is just as critical as identifying them in the first place.



Prioritizing Vulnerabilities Through Knowledge and Automation
https://solutionsreview.com/security-information-event-management/prioritizing-vulnerabilities-through-knowledge-and-automation/?utm_source=rss&utm_medium=rss&utm_campaign=prioritizing-vulnerabilities-through-knowledge-and-automation
Wed, 05 Jul 2023 19:13:15 +0000


Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Jacob Baines of VulnCheck examines how automation and shared knowledge can aid teams in prioritizing vulnerabilities.

CISOs and security teams are at a real disadvantage these days in dealing with the exponentially growing list of software vulnerabilities. Teams are inundated every month with new lists of weaknesses via Patch Tuesdays, threat research from cybersecurity organizations, and other vendor resources. The challenge, however, is knowing which vulnerability to fix first, which is an increasingly complex problem as workloads continue to increase. It can leave teams working to address minor or low-priority threats while letting more critical ones linger for months or longer.

The need to prioritize the most severe vulnerabilities and fix them quickly is urgent, as research shows they can be exploited in a matter of days. But while the information on new vulnerabilities that organizations regularly receive is helpful, it doesn’t offer much assistance in identifying which poses the most significant risk to them.

In this new threat environment, the need to establish a process for assessing the risks posed by a vulnerability is just as critical as identifying them in the first place.


Prioritizing Vulnerabilities Through Automation


Teams Don’t Have Enough Time or Information to React

The time it takes for threat actors to exploit a vulnerability has shortened dramatically over the past five years. In 2018, the average time to weaponize a vulnerability was about a year. Today, serious threat actors can weaponize a new vulnerability in just eight days. Security teams trying to defend against the latest threats no longer have a lot of time to analyze most of the vulnerability information they receive.

That might not be such a problem if they could identify the most serious threats, because only about 2.25 percent of vulnerabilities developed in the wild are used in active attacks and weaponized threats. But security teams don’t have that insight. Organizations have a lot of threat intelligence available to them, from sources such as the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), MITRE’s CVE database, and the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog. However, the time it takes for vulnerabilities to show up on those lists is far too long. In fact, advisories from vendors and security researchers, government alerts, and exploits in the wild often pre-date a vulnerability’s appearance on NIST’s NVD by 50 or more days. Nor do these databases necessarily cover all vulnerabilities. CISA’s KEV Catalog, for example, is a valuable resource and is widely seen as an authoritative source. But in a year-long analysis of KEV, we found that it did not include 42 actively exploited vulnerabilities that had already been assigned CVEs.

Even relying on Common Vulnerability Scoring System (CVSS) ratings doesn’t help prioritize vulnerabilities because, as NIST points out, CVSS scores measure severity, but not actual risk. A vulnerability may be critical according to its CVSS, but only high or even medium in terms of the risk to a specific organization. Teams spending their time remediating that vulnerability could be missing a more severe threat to their unique environment.

The information in those resources is undoubtedly valuable for standards-based vulnerability management. Still, it doesn’t provide a way to identify and prioritize the 2.25 percent of vulnerabilities that pose the most serious risks. As such, organizations need to rethink their own approaches to managing vulnerabilities.

4 Key Questions About Vulnerabilities

Security teams can start by asking — and answering — a few questions, including:

  1. Is there a public exploit? Is there code in the wild that would allow a threat actor to exploit a vulnerability so that they could attack an application, service, or device? Whether exploit code exists can help determine where the vulnerability sits on your priority list.
  2. Has the vulnerability been exploited in the wild? If another organization has been attacked or exposed by the vulnerability, the game is afoot. The attacker is likely looking for other susceptible organizations, so moving forward with remediation should be a priority.
  3. Is the vulnerability being used in ransomware or APTs? Threat actors involved with ransomware or advanced persistent threat (APT) campaigns often have more skill and resources than some other hackers, making them very capable of wreaking havoc for financial gain. If a hacker or group is leveraging the vulnerability, quick remediation is a must.
  4. Is this vulnerability likely to be internet-exposed? If a vulnerability can affect anything that connects to the internet, from APIs to authentication processes, it could make it easier for hackers to access your network.

Automation Can Provide Real-Time Answers

Asking these questions is one thing, but finding answers to them takes time and resources that security teams don’t often have. Organizations may need to look for a solution that provides automated threat intelligence and exploit activity monitoring drawn from a variety of sources to help prioritize responses at machine speed. Such a platform can be extremely valuable if it allows teams to take immediate action to mitigate the most critical vulnerabilities before threat actors can attack.

Being able to autonomously search for, synthesize, and unify threat, vulnerability, and exploit intelligence into one database, and to prioritize vulnerabilities according to how much of a threat they are to the organization, can make a huge difference in protecting networks from the latest exploits.

Given today’s threat landscape and how rapidly it’s evolving, such an asset is quickly becoming a requirement for any effective cybersecurity team’s defensive toolkit.


The Future of AppSec Depends on Force Multiplying Talent
https://solutionsreview.com/network-monitoring/the-future-of-appsec-depends-on-force-multiplying-talent/?utm_source=rss&utm_medium=rss&utm_campaign=the-future-of-appsec-depends-on-force-multiplying-talent
Wed, 05 Jul 2023 18:28:04 +0000


Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Peter Morgan of Phylum predicts that the future of AppSec depends on successfully force-multiplying the talent pool.

To plan for the future of Application Security (AppSec), we must rethink our ability to hire and retain talent. Ahead of the economic downturn of 2022, Application Security roles had double-digit negative unemployment rates. These roles were difficult to fill due to the number of roles open, and the challenging experience required by them. These variables caused compensation to skyrocket, and massive tech companies will scoop up more of this small skilled talent pool, leaving gaps for everyone else. This paints a picture of the future reality where application security programs cannot scale as they exist today. There simply is not enough talent to go around for everyone without change. To solve this, we need to consider how AppSec engineers can become force multiplied.

One of the shifts AppSec will need to make is the proper use of tools to enable skilled AppSec engineers to cover many more developers than they currently can. To accomplish this, we’ll need to consider changes in the software development process to assist this effort.


The Future of AppSec


Standardized Development Languages

The shift to microservices changed the landscape for how companies write software, hire developers and manage their infrastructure. Microservices brought the idea that developers can use the best language for the job, as long as the API contract is upheld. This was a tremendous improvement in many ways. Unfortunately for security tooling, this effectively destroyed the Static Analysis Security Testing (SAST) category of tools.

Back in the day, companies had “house languages.” If you worked there, you either wrote in C, C++, Java, or .NET for the most part. House languages were great for SAST tools, because it meant a smaller set of language support to reach that ever-so-critical inflection point of value to customers of SAST. Microservices changed everything. Today’s application from 40,000 feet is spread across many more languages. While there is a benefit to mapping the right language for the job, some of this sprawl comes from developer experience (DX). Developer experience sprawl can be seen in both choice of source code language, and choice of in-language framework. Merits aside, this presents significant difficulties in successfully using SAST and Dynamic Analysis (DAST) security tools.

Effective static analysis is one of the most challenging problems in both computer security and computer science. Most of this stems from the deep analysis required to identify a meaningful number of vulnerability classes. Yet, if you poll the product satisfaction of a group of engineers forced to use SAST products, you will likely be cleaning yourself off from the vomit of complaints of false positives. This problem might seem more tractable with recent advances, except for the sprawling language requirements most companies now have. SAST products struggle to maintain the breadth of language support while providing the depth of analysis needed to provide customer value.

Standardized Development Frameworks

Along with the shift to microservices that weakened the value of SAST tools to security teams, DAST has experienced a similar issue, albeit related to software frameworks used to rapidly architect software products. The explosion in the number of frameworks used by companies today means it’s extremely difficult for DAST product vendors to do a good job on a small set that provides lots of value to their customers. This is similar to the depth vs. breadth problem in SAST.

DAST tooling usually needs to understand how data flows through an application and where security boundaries live. DAST is a bit like setting up a debugger on the target software and recording the analysis during runtime to identify violations of security controls, but in a highly automated environment. If you must customize the tooling for each application, it will not keep up with the speed of development. Often in the past, DAST products were, or could be, developed around development frameworks, such as Python’s Django or Ruby on Rails.

I argue that a significant percentage of the language and framework choices made over the past five years have been more for developer experience (DX) than for the project’s needs. DX-driven choices in the framework became drastically less impactful once microservices had already weakened the utility of the then-current state of SAST capability. We can rein in the framework sprawl through standardization and enable DAST tools to provide additional value to our AppSec engineers.

A Foundation for Solving Modern AppSec Challenges

AppSec approaches will need to evolve in order to solve future challenges. Standardizing to both a reduced set of accepted development languages and a reduced set of accepted frameworks will enable security tools to empower AppSec engineers through force multiplication. Awareness and planning in advance can enable streamlined access to the future state where AppSec is more resilient to staffing challenges and the ever-increasing speed of software development.

